ASP.NET Identity and Windows Identity Foundation (WIF)?


11

Once again talking about ASP.NET Identity. There is another topic within this same subject that I believe is of great importance to the community (mainly to me, the main interested party). This is Windows Identity Foundation (WIF).

What is this? What would be a basic example of deployment for educational purposes only?

2 answers

5


Well, I think that for a good understanding it is not enough to just translate something from MSDN or Wikipedia; explanatory material here.

Windows Identity Foundation (WIF) is a Microsoft software framework for creating "identity-aware" applications. It provides APIs for building ASP.NET- or WCF-based security token services (STS), as well as tools for building "claims-aware" applications.

Claims-aware is a common way for applications to obtain information about who is logging in (identity), within the corporation or even on the Internet. It also provides a very solid approach for running intranet or Internet applications. STS authentication works by having an identity-certifying agent issue a token. Read about STS here

An example of authentication with an STS is on this site: NFP SP, when accessing with the digital certificate option.

Now that you’re already contextualized, time to get your hands dirty.

To develop an application with STS authentication, you first need a server with a digital certificate so that it can issue your token. Then you need to add this certificate to your TrustedIssuers list (example here).

After all this, you need to implement authentication based on Windows federated authentication. It is very common to use smart cards for this: you just enter your PIN and unlock access to the application. Ah, the card in turn needs to be issued by a trusted agency, for example the official press.

The example I will use is an application written in ASP.NET MVC authenticating via WIF.

using System;
using System.Configuration;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

public abstract class SecurityController : Controller
{
    // Fields
    // IdentitySection is the application's own ConfigurationSection type that
    // maps the <federatedMvc.identity> section of Web.config.
    private IdentitySection _identityConfig;

    // Methods

    // Receives the WS-Federation sign-in response POSTed by the STS and sends the
    // user back to the page stored in "wctx", or to the configured reply URL.
    [AcceptVerbs(HttpVerbs.Post), ValidateInput(false), AllowAnonymous]
    protected ActionResult ProcessToken()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (wSFederationAuthenticationModule.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
        {
            // wctx is echoed back by the STS exactly as it was sent, so treat it as
            // untrusted input and only redirect to local URLs (Url.IsLocalUrl) in production.
            str = System.Web.HttpContext.Current.Request.Form["wctx"];
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Builds the WS-Federation sign-in request (wa=wsignin1.0, wtrealm, wreply)
    // and redirects the anonymous user to the STS; an optional issuer overrides the configured one.
    [AllowAnonymous]
    public ActionResult SignIn(string issuer)
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (!base.User.Identity.IsAuthenticated)
        {
            str =
                new SignInRequestMessage(new Uri(string.IsNullOrEmpty(issuer) ? wSFederationAuthenticationModule.Issuer : issuer),
                    wSFederationAuthenticationModule.Realm, wSFederationAuthenticationModule.Reply).WriteQueryString();
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Clears the local session cookie created by the module, then returns to the reply URL.
    public ActionResult SignOut()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        if (base.User.Identity.IsAuthenticated)
        {
            wSFederationAuthenticationModule.SignOut(false);
        }
        return new RedirectResult(wSFederationAuthenticationModule.Reply);
    }

    // Properties

    // Lazily loads the <federatedMvc.identity> section shown below.
    protected IdentitySection IdentityConfig
    {
        get
        {
            return (this._identityConfig ?? (this._identityConfig = (IdentitySection)ConfigurationManager.GetSection("federatedMvc.identity")));
        }
    }
}


federatedMvc.identity is a section of your Web.config that will contain the security settings for your STS server.

For example:

<federatedMvc.identity securityController="Seguranca">
  <authenticationUris>
    <add type="Certificate" uri="https://CapsuleCorp/Identity.STS.Certificado/Login.aspx" />
  </authenticationUris>
</federatedMvc.identity>

Then you also need to add the <microsoft.identityModel> section to your web.config, and fill in the necessary items, for example:

<service>
  <audienceUris>
    <add value="http://CapsuleCorp.com/FindDragonBalls" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="false" persistentCookiesOnPassiveRedirects="false"
                  issuer="https://CapsuleCorp.com/Identity.STS.Certificado/Login.aspx"
                  realm="http://CapsuleCorp.com/realm" reply="http://CapsuleCorp.com/home" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
      <add name="CN=CapsuleCert" thumbprint="89cf12ef1f36a9bacaa4e813a44bb699bb46c359" />
    </trustedIssuers>
  </issuerNameRegistry>
</service>

After that, you can inspect all the claims returned by the claims service, deny access or redirect somewhere else; from there the sky is the limit. Based on each claim you can decide where to direct your efforts. If you have any questions, don't hesitate to ask.

  • Whoever voted -1, leave a comment so I can adjust the answer in a way you understand too.
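With certificateValidationMode="None" in the configuration above, the trustedIssuers thumbprint is the only check tying an incoming token to the expected STS. As an added example (not the answer's code), this is a custom IssuerNameRegistry performing the same check the configured ConfigurationBasedIssuerNameRegistry performs; the thumbprint and issuer name are the ones from the answer's config, while the class and assembly names are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens;

// Custom issuer name registry: maps the certificate that signed an incoming token
// to an issuer name and rejects anything not on the allow-list. Wire it up with
// <issuerNameRegistry type="MyApp.ThumbprintIssuerNameRegistry, MyApp" /> (assumed names).
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Thumbprint -> issuer name; the pair below is the one from the answer's <trustedIssuers>.
    private static readonly Dictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "89cf12ef1f36a9bacaa4e813a44bb699bb46c359", "CN=CapsuleCert" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // Only tokens signed with an X.509 certificate can be matched by thumbprint.
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null) return null;
        return GetIssuerNameForThumbprint(x509Token.Certificate.Thumbprint);
    }

    // Returning null makes WIF reject the token (SecurityTokenException), so a
    // token signed by an unknown certificate never becomes an authenticated session.
    public static string GetIssuerNameForThumbprint(string thumbprint)
    {
        string issuerName;
        if (string.IsNullOrEmpty(thumbprint)) return null;
        return TrustedIssuers.TryGetValue(thumbprint, out issuerName) ? issuerName : null;
    }
}
```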

3

WIF is an authorization model based on claims (statements) and not only on roles, as is usually done.

With claims, a user carries more information about themselves, for example age 18 and favorite food pizza, so in your app you can create creative rules based on the claims. For example, a certain feature will only be available to users who are of age (18) and who like pizza.

This is a very simplified example, but to go deeper into the subject I suggest reading Israel Aece's blog (link below), which has several posts in Portuguese on WIF and claims.

http://www.israelaece.com/category/WIF.aspx

To complement this with a more typical example, imagine several characteristics of a person in the workplace, for example the branch where they work, cost center, department, etc. All of these can be claims; for example, Joãozinho works in the IT department at the São Paulo branch and has 10 years with the company. Now the HR system can create creative rules (policies) to allow or deny access to certain processes in the system, for example requesting a bonus for length of service. In this case you could have a policy that only allows this request for people with more than X years at the company and at a certain branch. Without claims this would be hard to do with roles, short of building a mechanism for it.
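Added example (not from the answer): the service-time bonus policy described above written as a WIF claims check plus an MVC authorization filter that applies it. The claim-type URIs, the branch name and the number of years are assumed; a real STS defines its own claim types.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

// Policy from the answer: only employees of a given branch with at least a
// minimum number of years of service may request the service-time bonus.
public class ServiceTimeBonusPolicy
{
    // Hypothetical claim-type URIs; a real STS publishes its own.
    public const string BranchClaim = "http://capsulecorp.example/claims/branch";
    public const string YearsClaim = "http://capsulecorp.example/claims/yearsofservice";
    private readonly string _requiredBranch;
    private readonly int _minimumYears;

    public ServiceTimeBonusPolicy(string requiredBranch, int minimumYears)
    {
        _requiredBranch = requiredBranch;
        _minimumYears = minimumYears;
    }

    public bool IsSatisfiedBy(IClaimsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated) return false;
        // Fail closed: a missing or malformed claim never grants access.
        Claim branch = identity.Claims.FirstOrDefault(c => c.ClaimType == BranchClaim);
        Claim years = identity.Claims.FirstOrDefault(c => c.ClaimType == YearsClaim);
        if (branch == null || years == null) return false;
        int yearsOfService;
        if (!int.TryParse(years.Value, NumberStyles.None, CultureInfo.InvariantCulture, out yearsOfService))
            return false;
        return string.Equals(branch.Value, _requiredBranch, StringComparison.Ordinal)
            && yearsOfService >= _minimumYears;
    }
}

// MVC filter that applies the policy to the principal WIF placed on the request.
// Usage on an action: [ServiceTimeBonus] public ActionResult RequestBonus() { ... }
public class ServiceTimeBonusAttribute : AuthorizeAttribute
{
    // Assumed values: the São Paulo branch and ten years of service.
    private readonly ServiceTimeBonusPolicy _policy = new ServiceTimeBonusPolicy("Sao Paulo", 10);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as IClaimsPrincipal;
        return principal != null && _policy.IsSatisfiedBy(principal.Identity as IClaimsIdentity);
    }
}
```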
